Chrome users beware: Your passwords are vulnerable

By Dave Johnson

Updated on: August 12, 2013 / 9:37 AM / MoneyWatch

(MoneyWatch) Do you let your web browser store passwords for you? That might not be such a great idea -- especially if you use Chrome. Indeed, storing passwords in Google's browser is a lot like not having passwords at all.

Last week, software developer Elliot Kember published a blog post that got a lot of attention. In it, he explained how insecurely Chrome handles passwords. This wasn't news, per se. Chrome has always worked this way, and it's not unknown among the tech-savvy, but many sites behaved as if this were a bold new discovery. If nothing else, it's a wake-up call for Chrome users who weren't aware of the browser's vulnerabilities.

Like any other browser, Chrome offers to remember passwords for you so it is easier to access sites and services. That's a convenience, which makes it practical to use different passwords for every website you visit. But unlike Firefox and Internet Explorer, Chrome does not encrypt these passwords, making them easy to see. All you need is physical access to the computer, and you can see each and every password stored in Chrome.

You can see this for yourself. Just open Chrome's password settings dialog box (chrome://settings/passwords) -- you should see a list of all your logins -- and click the Show button to see the actual password. Note that Chrome doesn't require a master password to gain access. Anyone sitting in front of your PC (or with remote access to your PC) can see this.

Surprisingly, Google is totally unrepentant and has defended its decision to display all of your passwords without any protection, or even the option to protect them. But the recent scrutiny of Chrome may make this position untenable, and I predict Google will add some sort of master password to the password database before too long.

Until then, though, what should you do? Simple: Don't store passwords in a browser -- any browser, actually, though Chrome is the worst offender. Instead, use a password keeper app like LastPass or RoboForm. These apps are much more secure and designed from the ground up to protect your passwords and make it easy to access login information from multiple devices and browsers.